SilverStripe

Security Releases

When potential security holes are discovered in SilverStripe CMS, we produce security releases so that you are able to promptly secure your SilverStripe websites (see our security release process). In addition to being available on the Stable Download page and announced on the Release Announcements Google Group, the security releases are summarized here. Please subscribe to our security release RSS feed to stay updated.

SS-2013-005: Privilege escalation with APPLY_ROLES

CMS users with access to the "Security" admin interface can increase their privileges to ADMIN even if they currently hold only the permission "Apply roles to groups" (APPLY_ROLES). They can exploit their access either by assigning privileged permissions to a group they already belong to, or by creating a new role with more privileged permissions.

Only a small number of advanced installations should have this "sub-admin" role set up, which makes them vulnerable to this issue. Note that APPLY_ROLES still allows users with access to the "Security" interface to assign themselves non-privileged permissions such as editing CMS content or CMS settings. This is by design. It is also advised to use the built-in "Only admins can apply" flag on roles which are deemed privileged, which already prevents "sub-admins" from assigning such a role to a group they belong to.

This has been fixed by additional validation on the PermissionRoleCode model.

SS-2013-004: Privilege escalation through Group and Member CSV upload

The "Security" admin interface allows import of member and group records from CSV data. CMS users with the CMS_ACCESS_SecurityAdmin permission but without ADMIN permissions can increase their CMS privileges through this mechanism. Only a small number of advanced installations should have separate "sub-admin" groups set up, which makes them vulnerable to this issue.

Access to this functionality has been limited to users with the ADMIN permission. If you're using the underlying GroupCsvBulkLoader or MemberCsvBulkLoader classes directly, please ensure they're appropriately secured.

SS-2013-003: Privilege escalation through Group hierarchy setting

CMS users with access to the "Security" admin interface, but without ADMIN permissions, are able to increase their privileges. Since groups inherit permissions from parent groups, changing the hierarchy of a group that a malicious user belongs to can make it inherit further privileged permissions. Note: Only a small number of advanced installations should have separate "sub-admin" groups set up, which makes them vulnerable to this issue.

This was fixed by limiting group hierarchy changes to those without a set of privileged permissions (CMS_ACCESS_SecurityAdmin, EDIT_PERMISSIONS, APPLY_ROLES, ADMIN), unless the currently logged-in user has ADMIN permissions already.
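The checks described for SS-2013-005 and SS-2013-003, as an added PHP illustration that is not SilverStripe's own code: a stand-in group array, the walk up the parent chain that models permission inheritance, and the refusal rule for non-ADMIN users. The privileged code list comes from the advisory; the group names and the `isAdmin`, `canAssignCodes`, `effectiveCodes` and `canChangeParent` helpers are assumptions.

```php
<?php
// Added illustration, not SilverStripe's own code: the privilege checks behind
// SS-2013-005 (assigning permission codes) and SS-2013-003 (re-parenting a
// group). The group stand-in and all names below are constructed.

// Codes the advisory treats as privileged: holding one lets a user widen access.
const PRIVILEGED_CODES = ['CMS_ACCESS_SecurityAdmin', 'EDIT_PERMISSIONS', 'APPLY_ROLES', 'ADMIN'];

function isAdmin(array $userCodes): bool {
    return in_array('ADMIN', $userCodes, true);
}

// SS-2013-005: a non-ADMIN user may not put privileged codes on a role or group.
function canAssignCodes(array $codes, array $userCodes): bool {
    return isAdmin($userCodes)
        || count(array_intersect($codes, PRIVILEGED_CODES)) === 0;
}

// $groups: name => ['parent' => name|null, 'codes' => [permission codes]].
// Permissions are inherited from every ancestor, so collect the whole chain.
function effectiveCodes(array $groups, ?string $name): array {
    $codes = [];
    $seen = [];
    while ($name !== null && !isset($seen[$name])) { // $seen guards against cycles
        $seen[$name] = true;
        $codes = array_merge($codes, $groups[$name]['codes']);
        $name = $groups[$name]['parent'];
    }
    return array_values(array_unique($codes));
}

// SS-2013-003: a non-ADMIN user may not move a group under a parent whose
// inherited permissions include a privileged code; detaching is always safe.
function canChangeParent(array $groups, ?string $newParent, array $userCodes): bool {
    if ($newParent === null || isAdmin($userCodes)) {
        return true;
    }
    return canAssignCodes(effectiveCodes($groups, $newParent), $userCodes);
}

// Constructed sample hierarchy and a "sub-admin" who only holds security-admin access.
$groups = [
    'Administrators' => ['parent' => null,             'codes' => ['ADMIN']],
    'Site Managers'  => ['parent' => 'Administrators', 'codes' => []],
    'Editors'        => ['parent' => null,             'codes' => ['CMS_ACCESS_CMSMain']],
];
$subAdmin = ['CMS_ACCESS_SecurityAdmin'];

foreach (['Editors', 'Site Managers'] as $target) { // Site Managers inherits ADMIN
    printf("re-parent under %s: %s\n", $target,
        canChangeParent($groups, $target, $subAdmin) ? 'allowed' : 'refused');
}
printf("grant APPLY_ROLES as sub-admin: %s\n",
    canAssignCodes(['APPLY_ROLES'], $subAdmin) ? 'allowed' : 'refused');
```

Note that "Site Managers" carries no codes of its own; the refusal comes entirely from the ADMIN code it inherits, which is the inheritance path the advisory describes.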

SS-2013-001: Require ADMIN for ?flush=1

Flushing the various manifests (class, template, config) is performed through a GET parameter (flush=1). Since this action requires more server resources than normal requests, it can facilitate denial-of-service attacks.

To prevent this, main.php now checks and only allows the flush parameter in the following cases:

This applies to both flush=1 and flush=all (technically we only check for the existence of the parameter, not its value), but only for web requests made through main.php. CLI requests, or any other request that goes through a custom start-up script, will still process all flush requests as normal.